Key Takeaways: Most websites use some form of technology to monitor and collect information about their users. These technologies may track behaviors of website visitors to provide an individualized web experience to each user in the form of tailored pop-ups, advertisements, and suggested materials. Although New York does not currently have a comprehensive state privacy law, New York Attorney General Letitia James has clarified that certain data collection practices may violate New York’s consumer protection law. On July 20, 2024, the New York Office of the Attorney General released the Business Guide to Website Privacy Controls (the “Guide”) to provide guidance as to how common data collection practices and technologies may violate New York consumer protection law as well as tips for remaining in compliance.

What Does Online Data Collection Look Like?

The most common method of online data collection uses cookies. Cookies are small text files created by web browsers when any user opens a website. The cookie is specific to the user and makes the user recognizable from one webpage to another. When a webpage recognizes a user, depending on the technologies the website operator has in place, an individualized web browsing experience with particular advertisements and pop-ups targeted to the user’s preferences and web history may be launched.

In addition to cookies, websites may utilize tags to track user activity. Tags are code patterns created in a webpage that connect a web user’s browser to a third-party service. Within the third-party service, the code patterns are translated into an individual identification saved as a cookie. When a user opens a web page, the tag follows, the cookie is retrieved, and the third party can recognize the unique user based on this cookie.

Web pixels, also known as tracking pixels or web beacons, may also be used to collect data from website users. These pixels are a small piece of code that is placed on a web page to collect data about users and their online activity and send the data to a third party. A website may utilize pixels to serve targeted ads, measure ad campaign performance, or track completed actions on a web page.

New York Attorney General Identifies Privacy Control Issues

In the absence of a comprehensive state law governing consumer data privacy, New York Attorney General Letitia James regulates the data privacy space through New York’s consumer protection law, which protects New York consumers from deceptive acts and practices of businesses operating in New York. Applying consumer protection law to online data privacy, businesses are required to ensure that all representations on their websites are truthful and not misleading. Businesses must ensure the privacy controls used online are clearly communicated to consumers and function properly. Both the language used to describe privacy controls and the process to opt out of data collection should be unambiguous. For example, if a pop-up cookie selection banner allows the user to close the banner, it must be clear whether closing the banner “accepted” or “declined” the cookies. Additionally, pop-ups or banners that allow a user to opt in or out of cookies or other online activity tracking should give equivalent options equal weight. This means that a user’s option to decline cookies or tracking should be just as clear and easy to use as the option to accept cookies or tracking.

Over a period of several months in 2024, the New York Office of the Attorney General conducted an investigation into websites with high amounts of traffic to put their privacy controls to the test. It determined that 13 websites, together serving more than 75 million consumers each month, had privacy controls that were noncompliant with the New York consumer protection law. For example, even after the user declined cookies or other tracking technologies, these websites continued to monitor user activity without the user’s consent.

Common Data Collection Issues

The investigation revealed that many websites include the same non-compliant features or tools. The Guide describes the following common data collection issues:

1. Miscategorized and uncategorized tags and cookies: Tracking technologies may be used for marketing, analytics, and fraud detection. Websites can categorize the tracking mechanisms used and then allow a user to select which types of cookies and tags are permitted with a consent management tool. For example, a consumer may disable marketing tags and cookies but keep fraud detection trackers active. For this practice to be effective, though, it is critical that all tags and cookies are properly classified. Otherwise, the active tags and cookies may not match the consumer’s preferences.
2. Misconfigured tools: Websites that use consent management tools may also use tag management tools. When using both tools, it is important that the tools can communicate preferences from one to the other. When misconfigured, a tag management tool may not receive signals from the consent management tool to limit active tags and cookies, and all will continue to operate.
3. Hardcoded tags: When tags are hardcoded into a website, a consent management or tag management tool does not have any control over cookies or tags. Instead, the tracking mechanisms will operate every time the web page is opened because they are hardcoded into the website.
4. Inconsistent tag privacy settings: Certain tags allow website operators to control the amount of information collected, but these limitations are sometimes enabled only in states with comprehensive data privacy laws. Because New York has not enacted a comprehensive data privacy law, businesses cannot solely rely on location-based privacy settings for compliance with New York’s consumer protection law.
5. Incomplete understanding of tag data collection and use: Information regarding tags and the data that a particular tag collects may not always be clear to the user. If a business employs any activity tracking mechanism on its website, the business should understand the types and scope of information that will be collected.
6. Undisclosed tracking and sharing: A user’s personal information may be directly shared with advertising companies, without the use of cookies or third-party tags. When this occurs, the website must provide information about these disclosures to ensure the consumer is not misled about the information collected and shared.

How To Prevent Data Collection Issues

The Guide establishes the following guidelines to help businesses combat online data collection issues.

1. Designate an individual or a team of individuals to be responsible for management and monitoring of data collection and tracking technologies.
2. Investigate the types of data that tags and cookies collect before implementing these technologies.
3. Notify consumers of the types of data the business collects and allow consumers to customize or opt out of the business’ data collection practices, such as through a pop-up or banner on the website.
4. Provide privacy and data collection information in plain language without ambiguity.
5. Ensure that any tag or other tracking tool deployed is appropriately categorized and configured to collect the right information.
6. Test tags and tools frequently to ensure they are operating as expected.
7. Review and correct issues as they arise.

Koley Jessen is committed to staying informed about developments related to data collection compliance and will offer guidance as new information emerges. If you have questions on whether your business is compliant with requirements related to online data collection, please contact one of the specialists in Koley Jessen's Data Privacy and Security Practice Area for assistance.

^{*Special thanks to summer associate Sydney Mallum for her contributions to this article.}  

_{This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.}